(54) System and method for securing a computer communication network

(57) A system for providing a trusted computer communication network including a master decision maker unit coupled to the trusted network; and at least one slave communication unit coupled to the master unit by a wide bus connection that has multiple unidirectional communication channels, and connected to a non-trusted network; wherein the trusted network is physically isolated at all times from the non-trusted network, and all data transported between the trusted network and the non-trusted network is transported between the master unit and the slave unit.



Fig. 1 (drawing): box 10 connecting the HOSTILE NETWORK 14, through slave unit 18 and MASTER UNIT 16, to the TRUSTED NETWORK 12.


Printed by Xerox (UK) Business Services 2.16.7/3.6

BNSDOCID: <EP 0959586A2_I_>

EP 0 959 586 A2



Description

FIELD OF THE INVENTION

[0001] The present invention relates to network security in general and, in particular, to a system and method for providing a trusted network which can be connected to a non-trusted network and remain secure.

BACKGROUND OF THE INVENTION

[0002] Nowadays, as network security has become one of the major networking technology issues, many vendors offer a wide range of security products, solutions and methodologies.

[0003] The most common security solution is the FIREWALL system. A FIREWALL is a system that is based on the TCP/IP standard. According to that standard, a stream of data is actually a collection of packets. Each and every packet has a header that describes that packet. The most important information fields that are included in a packet header are the address of the source (which indicates who sent that packet), the address of the destination (which marks for whom this packet is intended) and the number of that packet in that stream of data. Each and every stream of data may contain a single packet or many packets. While a traditional router normally checks the stream authorization by its first packet header only, the FIREWALL checks each and every packet header. The FIREWALL can stop the streaming as it detects an illegal packet, one whose source or destination is not allowed by the network administrator, even if that packet is not the first one. Moreover, a FIREWALL can limit the streaming into specific ports and disable access to other ports. But that kind of security is not enough to protect a trusted network against intrusion.

[0004] First, it is very easy to change a computer's TCP/IP address. Suppose somebody knows that the trusted network FIREWALL allows a machine from address X, port Y to communicate with an internal network member at address Z, same port Y. All the intruder has to do is to define its machine address to X, connect it to that network, and send data through port Y to address Z. Not only is changing a TCP/IP address a very easy thing to do, it can be done without leaving any traces.

[0005] Second, FIREWALLS always check the port where data came from. Smart intruders know how to use the enabled ports in order to overcome the FIREWALL system. For example, the FTP service is based on two opened ports, one for establishment and one for file transfer. A smart intruder uses the FTP mechanism in order to send data into the network. He follows the establishment process and, the first time the file transfer port is enabled, he communicates through this port.
[0006] One of the most destructive ways to break into a system is an intrusion by trusted people. According to official research, more than 50% of intrusions are caused by configuration errors made accidentally by trusted administrators. An organization network is a very complicated system. It consists of many TCP/IP addresses to be access enabled or denied, many services to be enabled or ignored, etc. An error where a specific address becomes accessible to the outside world is not a rare occurrence. All an intruder has to do is to scan the organization addresses and services to find the first address and service that was not hermetically sealed. That address will become the gate through which these intruders will come. Unfortunately such a situation is not rare, and detection of such an intrusion is very difficult.

[0007] Third, as the FIREWALL is the only gate through which all communication must pass, that system's presence becomes a very sensitive matter. There are cases where the FIREWALL is stopped and the trusted network suddenly becomes unprotected and directly connected to the outside world. Such situations may occur if the security software's operating system is "stuck" (but its communication kernel is running), an administrator disabled the FIREWALL "just for a couple of minutes", etc. The latter situation is very common. An intruder sends many packets of data to the trusted network into an enabled and accessible address and port. That incoming stream of packets may lead to an overload situation, as the network throughput required to transfer these packets is too high, and the network delay becomes very high also. It is known that for test and maintenance procedures, as well as problem diagnostic processes, network administrators sometimes disconnect the FIREWALL for a few minutes, in order to check if the problem comes from that device. That is the time when a smart intruder goes inside the net, sends its hostile program into any address and makes it executable.

[0008] There are many more situations where the FIREWALL cannot provide a good enough security solution for the trusted network.

[0009] A conventional solution to the security problem is a packet filter. A packet filter, whether it is based on a TCP/IP address or a specific service port, cannot be assumed nowadays to be a good solution for content threats. Viruses, Trojan horses and other hostile codes cannot be detected by the packet filter. A packet is the native form of transported data. Packet length may vary independently, packet timing may be spread randomly, the order the packets are received is not necessarily the order they were transmitted, and other native features cause a content detection process to work very hard in order to detect transported hostile applications at packet level.

[0010] Many security products use third-party technologies to detect viruses, Trojan horses, Active X or Java scripts. All these products operate while data is moved from one node to another. As it moves, the data transportation delay time becomes a significant factor. Hence, many detection tools cannot exhaust their detection capabilities, as it takes too much time to implement the best detection algorithms. As a compromise solution, these tools look for a set of patterns and "signatures" that already are known as hostile code traces.

[0011] Another conventional solution is the application gateway. The concept of this mechanism is to build a gate where applications can send and receive messages. A message is actually a collection of packets. The FIREWALL moves the message to a specific application, usually a third-party one, and that application is required to handle that message, to accept it, to change it or to ignore it.

[0012] As was mentioned before, such a mechanism cannot provide the best results offered by current hostile code detection technology. A message, although it represents a closed block of data, may hide part of a hostile code, not necessarily one that can easily be detected. As message transportation time is a major factor, detection time becomes important and, as a result, all the currently used tools make a relatively superficial test of messages in order to quickly detect patterns and signatures of known hostile applications, as fast as possible.

[0013] Accordingly, there is a long felt need for, and it would be very desirable to have, a system and method for providing a trusted network which permits high detection of hostile applications, prevents unauthorized access and services in the network, while permitting the trusted network to be connected to a non-trusted network which has access to conventional TCP/IP applications.

SUMMARY OF THE INVENTION

[0014] The present invention presents a radically different approach to the solution of network security problems.

[0015] According to the present invention, there is provided a system for providing a trusted computer communication network including a master decision maker unit coupled to the trusted network, and at least one slave communication unit connected to the master unit by a wide bus (a connection bus that has multiple unidirectional communication paths) and connected to a non-trusted network, wherein the trusted network is physically isolated at all times from the non-trusted network, and all data transported between the trusted network and the non-trusted network is transported between the master unit and the slave unit.

[0016] According to a preferred embodiment of the invention, the master unit includes a master computer coupled for standard computer communication with the trusted network, and coupled via a standard computer bus to a master wide bus gate card, and the slave unit includes a slave wide bus gate card coupled via a wide bus, as defined in the specification, to the master wide bus gate card and via a computer bus to a slave computer which, in turn, is connected to the non-trusted network for standard computer communication.

[0017] According to an alternative embodiment of the invention, the system further includes a second slave unit, and possibly more slave units, coupled between the trusted network and the master unit.

[0018] There is further provided in accordance with the present invention a method for securing a trusted computer communication network including the steps of disconnecting the trusted network from all non-trusted computer communication networks, inserting a system between the trusted network and the non-trusted network, the system including a master decision maker coupled to the trusted network and a communication slave, and permitting transportation of data between the trusted network and the non-trusted network only with the permission of the master decision maker.

[0019] According to a preferred embodiment of the invention, the step of inserting includes inserting a master unit including a master computer and a master wide bus gate card which constitutes a master decision maker, and a slave unit including a slave computer and a slave wide bus gate card which constitutes a communication slave, by coupling the master computer to the trusted network, coupling the master wide bus gate card to the slave wide bus gate card, and coupling the slave computer to the non-trusted network.

[0020] According to a preferred embodiment, the step of examining includes examining each file for improper authorization and hostile programs.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] The present invention will be further understood and appreciated from the following detailed description taken in conjunction with the drawings in which:

Fig. 1 is a schematic illustration of a system for securing a network constructed and operative in accordance with one embodiment of the invention;

Fig. 2a is a schematic illustration of a system for securing a network constructed and operative in accordance with another embodiment of the invention;

Fig. 2b is a schematic illustration of a system for securing a network constructed and operative in accordance with yet another embodiment of the invention;

Fig. 3 is a schematic detail view of a master unit or slave unit according to a preferred embodiment of the invention;

Fig. 4 is a schematic illustration of a system for securing a network according to one embodiment of the present invention;

Fig. 5 is a schematic illustration of a system for securing a network according to another embodiment of the invention;

Fig. 6 is a schematic illustration of the file transmission process according to the invention;

Figs. 7a, 7b, 7c, and 7d are flow charts of the functions of a sender and a receiver during the file transmission process according to the invention;

Fig. 8 is an example of a file to be transferred, including a file header; and

Fig. 9 is a flow chart of the preparation of a file signature according to one embodiment of the invention.



DETAILED DESCRIPTION OF THE INVENTION

[0022] The system of the present invention offers a radically different observation point on the computer communication network security problem. The system physically cuts the wire between a trusted and a non-trusted network, and replaces the usual TCP/IP system by a special mechanism. That mechanism is not peer-to-peer based (as TCP/IP is), but a handshake mechanism, and it is controlled from the trusted side only. Thus, this system prevents the non-trusted side from enforcing communication processes, pushing data independently and overloading the trusted network, by requiring master unit approval of all communication processes.

[0023] It is a particular feature of the invention that the system imports and exports static data, such as files, records, blocks, etc., rather than a stream of packets. When data is stored as a static block of data, all its information items are collected together, in a static state, in the right order. As static data is imported from the non-trusted side to an isolated location, whether in the trusted network or an isolated area between the two nets, this static data is completely checked by third-party detection tools for viruses and other hostile programs. Since the data is checked under isolated and static conditions, all at once, these tools can reach their best detection performance, with the highest detection probability, as compared to other security systems and methodologies.

[0024] It is a further particular feature of the system that, in addition to the above features, it provides isolation of the trusted network forever, at run time, when data is transported and even in case of a software "bug", "crash", backdoor or any kind of failure. Since the networks are not connected directly, and there are four to seven different independent stages that separate the trusted and the non-trusted nets, the possibility of a "short path", where these two nets will become suddenly connected to each other, is practically zero.

[0025] Basically there are four things that make this system quite different from conventional security systems:

• It physically continuously disconnects ALL operating system services and all network services, as it cuts the network wire.

• It physically continuously isolates the two networks, the trusted network and the non-trusted one.

• The security level provided by this product does not depend on the stability factor of the operating system or the software.

• Data cannot be moved from one net to another unless it is in a static state, and has approval from the master unit.



[0026] Thus, the trusted network will never be exposed to the non-trusted network services or operating system, even when the transportation process takes place, and even if the operating system, as well as other software components, "crash" or fail to run. Furthermore, detection of a hostile code will always be done in the master side, in the most thorough manner possible with the then current technology, and with the highest probability of detection, as compared with other security systems and products.

[0027] Referring now to Fig. 1, there is shown a schematic illustration of a system for protecting a trusted computer communication network constructed and operative in accordance with one embodiment of the invention. The system of the invention includes a box 10 that connects two networks, a trusted network 12 and a non-trusted network 14. All transportation processes must be handled by this box 10. Like many other security systems, the system of the invention is the only gate where data can be moved between the trusted network and the non-trusted network.

[0028] Unlike other security products, the present system includes more than a single unit. As seen in Fig. 1, the system consists of two kinds of units, a master unit 16, which initiates and/or approves all data transportation processes, and a slave unit 18, which obeys the instructions of the master unit, and as a result, responds or executes those processes. It will be appreciated that these terms merely designate the relationship between these two units. There are two major configurations of the system of the invention: a two-stage device, illustrated in Fig. 1, and a three-stage device, shown in Figs. 2a and 2b and described hereinbelow. The two-stage device includes one master unit and one slave. The three-stage device 10' includes one master 16 and two slaves 18, 18', with the master unit located in the path between the two slaves. In addition, it is possible to add, in any configuration according to the invention, a separate unit 19 to perform computations and help reach security decisions, as shown, for example, in Fig. 2b.

[0029] As stated above, the system has two connection points. One is connected to the network that is assumed to be the non-trusted network, called herein "the hostile network". The other point is connected to the "secure network", the one that is considered as the confidential network and that is to be protected from hostile network attacks. As shown in Fig. 1, for both system types, a slave unit is the only one that is connected to the hostile side. In the two-stage device, the master unit is connected to the trusted network. In a three-stage device, the master unit is not connected directly to either of the networks, but is isolated from both sides.

[0030] Referring now to Fig. 3, there is shown a schematic detail view of a unit 20 constructed and operative in accordance with a preferred embodiment of the invention. Each unit 20, whether it is a master unit or a slave unit, has two sections: a computer section 22, here implemented as a Single-Board Computer (SBC), and a wide bus gate card 24. For ease of description, computer section 22 will be referred to as an SBC throughout the specification. It will be appreciated, however, that alternatively computer 22 can be any other suitable computer, or a number of SBC units, all coupled to the wide bus gate card.

[0031] Wide bus gate card 24 includes a logic gate array chip, currently implemented by an FPGA (Field Programmable Gate Array) or ASIC (Application Specific Integrated Circuit), and may include an associated microprocessor (CPU) for fast computations and other functions, as desired. Alternatively, wide bus gate card 24 can include a number of wide bus gate units, all coupled to the SBC. Wide bus gate card 24 is not an operating system based card. Rather, it is a chip-based circuit that does not use any operating system-based protocol for data transportation. It will be appreciated that this card is a dedicated card, designed for implementation of the present invention. Both the SBC 22 and the wide bus gate card 24 use a combination of software and hardware, as described hereinbelow. Both sections include at least one independent CPU (not shown) that runs, independently, its own program. It will be appreciated by those skilled in the art that some or all of the functions described herein as being performed by wide bus gate card 24 could alternatively be performed in the SBC (i.e., virtual) and, vice versa, some or all of the functions described herein as being performed by the SBC could alternatively be performed by wide bus gate card 24 (i.e., hardware).

[0032] The SBC 22 can include any conventional single board computer, and is preferably a Windows NT™ operating system-based application, which runs the application of the present invention as the main Windows NT™ task. Alternatively, any other suitable operating system can be utilized.

[0033] In the three-stage device illustrated in Fig. 2a, the master unit includes one SBC and two wide bus gate cards, or one wide bus gate card capable of communicating with both slave units. The master SBC is not connected to any network. Each master wide bus gate card is coupled to the slave wide bus gate card in one of the slave units. It will be appreciated that the wide bus gate card of the slave need not be identical to the wide bus gate card of the master.

[0034] In the three-stage device illustrated in Fig. 2b, the master unit is coupled to an additional network, known as a DMZ (De-Militarized Zone) network 17, which is not connected either to the trusted network or to the non-trusted network. A DMZ network provides a network which is completely protected and physically isolated both from users outside a trusted network and from users inside a trusted network. Import and export of data from the DMZ network is carried out in the same manner as between the trusted and non-trusted networks, as described in detail hereinbelow.
[0035] Referring now to Fig. 4, there is shown a schematic illustration of a system for protecting a trusted network 32 from a hostile, or non-trusted, network 30, constructed and operative in accordance with one embodiment of the present invention. The system includes a slave unit 34 coupled to the hostile network 30, and a master unit 36 coupled to the trusted network 32. Slave unit 34 includes an SBC 40 and a wide bus gate card 42. Master unit 36 includes an SBC 46 and a wide bus gate card 44. Slave unit 34 is coupled for communication to master unit 36 via a wide bus 38. It will be appreciated that, in this way, hostile network 30 is physically isolated at all times from trusted network 32.

[0036] Wide bus 38 is a non-supported high-speed bus, which consists of essentially any connection bus having several unidirectional data channels or communication lines that connect two wide bus gate cards. Each channel can be, for example, an 8, 16 or 32 bit wide channel. Each card has its own input and output channels, sending its own data through the output channel, and receiving incoming data through the input channel, in sequence or in parallel.

[0037] In operation, data to be transported is written into the output channel of the sending unit. Receiving of written data is up to the receiver card only. If the receiver refuses to handle the incoming data, the sender can do nothing, as it cannot control the way the other card works.

[0038] As will be described later, communication through wide bus 38 is not a simple IO operation based communication. It is clear that the wide bus does not support the standard computer network systems, since all these systems were designed for a standard single-line Ethernet connection, rather than a parallel multiple-line bus. Wide bus 38 is not only a multiple-line bus that is unsupported by commercial communication standards or standard operating systems, but it also has the ability to avoid any kind of data transportation process, even simple native IO commands, that were executed by the processor itself.

[0039] The standard computer communication network, whether it is the hostile or the trusted net, is always connected to the SBC. Units exchange data through the wide bus gate card, and only through these sections. The internal communication between the SBC and the wide bus gate cards is done through a standard computer bus 28, which may be, for example, a PCI or ISA bus. The SBC can freely write data to the wide bus gate card, but does not have direct access to the wide bus.
[0040] It will be appreciated that the master and slave units are not identical. It is a particular feature of the present invention that only the master unit can approve a communication process. The slave unit executes such processes, but it cannot create a new communication process by itself, unless it was approved by the master. In addition, the slave can request the master to initiate a communication process, but the master unit can ignore that request or refuse to complete it. Thus, since the master unit is connected to the trusted network only, or is isolated from both sides as in the case of a three-stage device, the communication process cannot be controlled by the non-trusted side, in any case.

[0041] With further reference to Fig. 4, the information transport process from one net to the other, illustrated schematically in Fig. 6, will now be described in regard to a two-stage device, by way of example. According to the concept of the present invention, a "communication process" is a process that copies static data, any kind of data (file, record, block), from one memory in one network to another memory region in the other network. In order to move data from one side to another, the master unit must enable a "data import" or a "data export" process.

[0042] A data import process is a process where static data is pulled from the hostile network into the trusted one. This data must be checked against hostile code such as viruses, Trojan horses, Java scripts, Active-X components, etc. A data export process is a process that pushes static data from the trusted network to the hostile one. In this case, the content will be checked in order to avoid confidential data leakage. In both cases the master unit is the only unit that can enable or disable the process of moving static data from one net to another.

[0043] As seen in Fig. 4, between the hostile network 30 and the trusted network 32, there are four different sections, two in each unit 34, 36. The wide bus 38 that connects units 34 and 36 has several unidirectional channels. There are two important channels in each unit that are relevant to the communication process discussion. One is called the "input channel" and the other is the "output channel". Each and every unit has both channels. Each and every unit can transmit static data through the "output channel" and it independently receives other static data through its "input channel", either in sequence or in parallel.

[0044] Five steps are required for importing data from the hostile side into the trusted one:

• Step 1: The hostile side SBC 40 picks up the data and stores it in its memory.

• Step 2: Hostile side wide bus gate card 42 pulls that data from the SBC memory and moves it to the trusted side wide bus gate card 44.

• Step 3: The trusted side wide bus gate card 44 moves the data to the memory of the trusted side SBC 46.

• Step 4: The trusted side SBC 46 checks the stored content against hidden hostile code.

• Step 5: The trusted side SBC 46 copies the stored approved data to the appropriate location in the trusted side (if no hostile code was detected in step 4).

[0045] Each step will now be described in detail. Flow charts of the functions of the master unit (in this case, the receiver) and the slave unit (in this case, the sender) are shown in Figs. 7a, 7b, 7c, and 7d. First, the master SBC 46 sends an import request to the master wide bus gate card 44 (Fig. 7a, block 50). When master wide bus gate card 44 receives an import request message (Fig. 7b, block 52), the master wide bus gate card 44 sends a request to the slave wide bus gate card 42 for that file (Fig. 7b, block 58). When the slave wide bus gate card receives the request (Fig. 7d, block 56), it forwards the request to the slave SBC 40 (Fig. 7d, block 60). These requests can be signed, and/or coded, and/or encrypted, as desired. When slave SBC 40 receives the import request from wide bus gate card 42 (Fig. 7c, block 54), slave SBC 40 reads the entire required data from where it is currently stored (Fig. 7c, block 62), and builds a data header record (Fig. 7c, block 64). The header is a fixed size record that contains information about the data such as its age, size, where it was stored, etc. The data header can include additional parameters such as communication information. In addition, the header includes the original location (source) and destination address. The most important field in the data header is the signature, which is computed by slave SBC 40 (Fig. 7d, block 66). Without a signature, no data can be used in the network in which it is received.
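The request-driven import of [0044] and [0045], together with the one-way channel behaviour of [0037] and the master-only approval of [0040], can be modelled in a few classes. The following Python is an added example written for this page, not code from the patent or from any product built on it. It assumes an in-memory unidirectional channel in each direction, a constructed hostile-side file store, a constructed pattern list standing in for the third-party detection tools, and a stand-in HMAC-SHA256 over the header fields and content in place of the patent's own keyed signature function of Fig. 9; the unit and method names and the sample files are all invented.

```python
# Added example (not the patent's code): master-approved import over
# unidirectional channels, modelling [0037], [0040] and steps 1-5 of [0044]-[0045].
# Channel model, sample files, pattern list and stand-in MAC are assumptions.
from collections import deque, namedtuple
import hashlib
import hmac

HOSTILE_STORAGE = {  # constructed hostile-side file store
    "report.txt": b"quarterly figures: all nominal",
    "update.exe": b"MZ\x90\x00 ... HOSTILE_MARKER ... payload",
}
HOSTILE_PATTERNS = (b"HOSTILE_MARKER",)  # stand-in for third-party detection tools
SHARED_KEY = b"constructed-demo-key"      # assumed known to both gate cards
Header = namedtuple("Header", "name source destination size signature")


class Channel:
    """One unidirectional wide-bus channel ([0037]): the sender can only append;
    whether anything is taken off the channel is decided by the receiver alone."""
    def __init__(self):
        self._pending = deque()
    def write(self, item):
        self._pending.append(item)
    def read(self):
        return self._pending.popleft() if self._pending else None
    def refuse(self):
        self._pending.clear()  # receiver drops everything unread


def sign(name, source, destination, size, content):
    # Stand-in keyed MAC over header fields and content; the patent's own
    # Fig. 9 function is a different construction.
    fields = f"{name}|{source}|{destination}|{size}".encode()
    return hmac.new(SHARED_KEY, fields + content, hashlib.sha256).digest()


class SlaveUnit:
    """Hostile-side unit: executes import requests but can never approve one."""
    def __init__(self, storage, to_master, from_master):
        self.storage, self.out_channel, self.in_channel = storage, to_master, from_master
    def package(self, name):
        # Steps 1-2: read the data, build and sign its header, hand it to the bus.
        content = self.storage[name]
        fields = (name, "hostile", "trusted", len(content))
        return Header(*fields, sign(*fields, content)), content
    def service_requests(self):
        request = self.in_channel.read()
        while request is not None:
            if request["import"] in self.storage:
                self.out_channel.write(self.package(request["import"]))
            request = self.in_channel.read()


class MasterUnit:
    """Trusted-side unit: the only unit that may start or approve a transfer."""
    def __init__(self, to_slave, from_slave):
        self.out_channel, self.in_channel = to_slave, from_slave
        self.trusted_storage, self.outstanding = {}, set()
    def import_file(self, name):
        self.outstanding.add(name)                # Fig. 7a, block 50
        self.out_channel.write({"import": name})  # Fig. 7b, block 58
    def receive(self):
        """Steps 3-5: take delivery only of requested data, check its signature,
        scan the content, and copy approved data into trusted storage."""
        results = {}
        if not self.outstanding:
            self.in_channel.refuse()
            return results
        item = self.in_channel.read()
        while item is not None:
            header, content = item
            if header.name not in self.outstanding:
                results[header.name] = "discarded: not requested"
            elif not hmac.compare_digest(header.signature, sign(*header[:4], content)):
                results[header.name] = "rejected: bad signature"
            elif any(p in content for p in HOSTILE_PATTERNS):
                results[header.name] = "rejected: hostile content"
            else:
                self.trusted_storage[header.name] = content
                results[header.name] = "accepted"
            self.outstanding.discard(header.name)
            item = self.in_channel.read()
        return results


def build_system():
    to_master, to_slave = Channel(), Channel()
    return MasterUnit(to_slave, to_master), SlaveUnit(dict(HOSTILE_STORAGE), to_master, to_slave)


def demo():
    master, slave = build_system()
    master.import_file("report.txt")
    master.import_file("update.exe")
    slave.service_requests()
    requested = master.receive()
    slave.out_channel.write(slave.package("update.exe"))  # an unsolicited push
    unsolicited = master.receive()  # no outstanding request: dropped unread
    return requested, unsolicited, dict(master.trusted_storage)
```

The point to take from the model is structural: the slave can only write to its output channel, and the master takes delivery only of data for which it holds an outstanding request, so an unsolicited push from the hostile side is dropped unread, a signature mismatch is rejected before the content is inspected, and only content that passes the check is copied into trusted storage.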

[0046] According to a preferred embodiment of the invention, the signature is a large number (e.g., 1024 bits long) that "describes" the specific collection of bytes that are stored inside the header record and the entire data content. One example of static data to be transported, including its header, is shown schematically in Fig. 8. It is generated from both the file header and content bytes. Preferably, building the signature is based on a special function that takes a secret key and a stream of bytes consisting of the data header and the data content bytes, and as a result generates the signature number. This function is a very fast one. Both the SBC and the wide bus gate cards know the secret key value and, thus, a secret key transaction over the computer bus is not necessary.

[0047] One way to generate a signature for data, whether it is a file, record, or block, is illustrated in Fig. 9. The mechanism is based on a function that takes a secret key, for example 1024 bits long, and a stream of bytes, and as a result it returns another number of the same length. At the beginning, the function assumes that the file signature is the secret key itself (step 1). Since the secret key is changed every time data is sent,
or periodically, even two identical blocks of data may have different signatures. Now the function takes each and every byte from the data header record. Before reading this record, it assumes that the signature field inside that record is zero (step 2). This field is to be updated with the newly generated signature as the generation process is completed.

[0048] Each and every byte is "xored" with the appropriate byte in the current computed signature value (step 3). The first byte from the data header is "xored" with the first byte from the current signature, the second byte from the data header is "xored" with the second one at the current signature, etc. In the given example, the signature value is 1024 bits long (128 bytes). Hence, in this case, the 129th byte from the data header will be "xored" with the first byte from the current signature (step 4). After the data header bytes are completely "xored" with the appropriate bytes in the current signature, the function takes the data content bytes and continues the computation in the same way. As all data content bytes were completely "xored" with the current signature (step 5), the resulting accumulated value is to be the data signature value. That value is now written into the data header record, to the signature field.

[0049] The secret key is the basis of the data signature generation process described above. In each unit, both sections use the same secret key, at the same

... generation takes the current secret key and rotates it K1 bits to the right (i.e., bit 0 becomes bit 1023, bit 1 becomes bit 0 and finally bit 1023 becomes bit 1022), then it "xors" it with the K2 value. The K1 and K2 values are the permanent values known to both sections. The resulting number becomes the current secret key. No further actions are required.

[0053] Preferably, the secret key is replaced by a new value after data has been moved completely from the SBC to the wide bus gate card (step 7), and upon master wide bus gate card request, generated every couple of minutes, randomly.

[0054] The secret key can be changed in any manner, as long as it is kept unexposed to the computer bus. One possible method, given by way of non-limiting example only, is as follows. Since at run time the networks' jacks are connected, a transaction of confidential information through the computer bus is not allowed. Hence, the secret key is changed without explicit transportation of the new value. The process is slightly different if the request comes from the SBC or the wide bus gate card. If the SBC wants to change the secret key, it sends a command to the wide bus gate card "please, change the secret key. Repeat this process N times". The N value is randomly generated by the SBC and is the only explicit value that is transferred through the computer bus. Such a command will never be gener-

time. However, while the system is running, a ti-^nsac- ated by the SBC unless data was completely moved 

tion of that secret key over ithe: computer bus is riot i (Fig- 9, step 6). This command will always be a part of a 
allowed, and a special mechanism is used for synchro^' '30 "data transport process, and the N value will be part of 

nization of these two sections. A random numbers gen- the data header (Fig. 8). The wide bus gate card will not 

erator is used as a part of the secret key generation. perform that command if it is not part of a data transport 

Using a conventional pseudo-random generator, which process. Alternatively, any other method of changing 

is based on the system clock, may lead to very poor sto- the secret key can be utilized. 

chastic behavior, as the series of random values may be 35 [0055] In response to that connmand. as long as it 
too short. Therefore, the security system preferably appears as part of the transported data header, the 
uses a real random numbers generator in ordefr to niini- wide bus gate card computes the NEXT secret key. the 
mize the secret key guess probability. secret key after Nth cycles. At the same time, the SBC 
[0050] A prefen-ed method of genei-ating a secret key changes the secret key in the same manner (Fig. 9, step 
is as follows. Seaet key generation uses a function that 40 7). Now, both sections are synchronized again, 
takes three arguments: two permanent values (that will [0056] When the wide bus gate card requests the 
remain constants as long as system is running) and the secret key replacement, it sends to the SBC a simple 
current secret key value (that wilt be periodically set of commands such as "rotate secret key N bits to the 
changed). Asa result, it returns a number. That number right" or "rotate., to the left" or even "invert the secret 
is the secret key. . , . ' 45 key bits N1.N2,N3.." etc. Again, no explicit values are 
[0051] The permanent values are randomly generated moved over the computer bus. Moreover, the com- 
by the wide bus gate card at startup time. Since, at that mands and their parameters are randomly generated by 
time, the system (i.e.. the hardware described above) is the wide bus gate card. Both sections execute the corn- 
physically disconnected from both networks, it is safe to mands, the SBC follows the wide bus gate card instruc- 
send these values to the SBC. through the computer • so tions and the wide bus gate card executes its own, and 
bus. In addition, the wide^ bus gate card generates . thus these two sections become synchronized again, 
another number which^ is . cor^sidered as the current [00571 As stated before, a real random values gener- 
secret key number, and itvsends that number to the ator is requiredinordertbincrease, and spread, the val- 
SBC, right after the permanent .values. Now. both sec- ues distribution, over a wide range. Thus, it is most 
tions are synchronized: tx)th. use the same function . 55 preferred that the random values generator not be a 
(because they use, the same permanent values) and ^ software and clock-based mechanism, but a hardware 
both start from the same, initial value of a secret key. circuit. This circuit can be based, for example, on a sim- 
[0052] One example of the function of a secret key pie ZENER diode, and it samples the noise amplitude 
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generated over that component. (Amplification of that 
amplitude is required, but it does not change the ran- 
dom behavior of that circuit). As white noise amplitude 
presents real random behavior, it provides a real ran- 
dom numbers generator. The sampled values are con- 5 
verted into a stream of bits and are used as random 
numbers. 
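The signing procedure of paragraphs [0047]-[0048], the key-advance function of [0052] and the "repeat N times" synchronization of [0054]-[0056], written out as an added C example. This is not code from the patent: the data header layout (Fig. 8 is not reproduced here), the LSB-first bit numbering, the fixed startup values standing in for the gate card's hardware random source, and the function names are all assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

#define KEY_BITS  1024
#define KEY_BYTES (KEY_BITS / 8)

/* Assumed header layout: content length, the N of [0054], signature field. */
typedef struct {
    uint32_t data_len;
    uint32_t n_key_cycles;
    uint8_t  signature[KEY_BYTES];
} data_header_t;

/* State of one section (SBC or wide bus gate card), see [0050]-[0051]. */
typedef struct {
    unsigned k1;             /* rotation count, permanent */
    uint8_t  k2[KEY_BYTES];  /* xor mask, permanent */
    uint8_t  key[KEY_BYTES]; /* current secret key, changes over time */
} section_t;

static int bit(const uint8_t *v, unsigned i) { return (v[i / 8] >> (i % 8)) & 1; }

/* [0052]: key = rotate_right(key, K1) xor K2. With LSB-first numbering a
 * right rotation by one moves bit 1 to bit 0 and bit 0 round to bit 1023. */
void advance_key(section_t *s)
{
    uint8_t out[KEY_BYTES] = {0};
    for (unsigned i = 0; i < KEY_BITS; i++)
        if (bit(s->key, (i + s->k1) % KEY_BITS))
            out[i / 8] |= (uint8_t)(1u << (i % 8));
    for (unsigned i = 0; i < KEY_BYTES; i++)
        s->key[i] = out[i] ^ s->k2[i];
}

/* [0055]: "change the secret key, repeat N times", run by both sections. */
void advance_key_n(section_t *s, uint32_t n) { while (n--) advance_key(s); }

/* [0047]-[0048]: start from the secret key (step 1), read the header's own
 * signature field as zero (step 2), xor stream byte i into byte i mod 128. */
void compute_signature(const section_t *s, const data_header_t *hdr,
                       const uint8_t *content, size_t len, uint8_t out[KEY_BYTES])
{
    data_header_t h = *hdr;
    memset(h.signature, 0, KEY_BYTES);
    memcpy(out, s->key, KEY_BYTES);
    const uint8_t *p = (const uint8_t *)&h;
    size_t pos = 0;
    for (size_t i = 0; i < sizeof h; i++, pos++) out[pos % KEY_BYTES] ^= p[i];
    for (size_t i = 0; i < len; i++, pos++) out[pos % KEY_BYTES] ^= content[i];
}

/* Gate card side ([0061]): recompute independently and compare with the
 * signature argued in the header. Returns 1 when the block was correctly signed. */
int verify_block(const section_t *s, const data_header_t *hdr, const uint8_t *content, size_t len)
{
    uint8_t calc[KEY_BYTES];
    compute_signature(s, hdr, content, len, calc);
    return memcmp(calc, hdr->signature, KEY_BYTES) == 0;
}

/* Constructed startup values in place of the card's hardware RNG ([0051],
 * [0057]); they are copied to the SBC before the jacks are connected. */
static void init_sections(section_t *sbc, section_t *card)
{
    memset(card, 0, sizeof *card);
    card->k1 = 37;
    for (unsigned i = 0; i < KEY_BYTES; i++) { card->k2[i] = (uint8_t)(i * 7 + 3); card->key[i] = (uint8_t)(0xA5 ^ i); }
    *sbc = *card;
}

/* One transport: the SBC signs and asks for N key cycles, the card verifies,
 * then both advance their keys with no new value crossing the bus. */
int demo_transport(void)
{
    section_t sbc, card;
    init_sections(&sbc, &card);
    uint8_t content[300];                       /* constructed payload */
    for (size_t i = 0; i < sizeof content; i++) content[i] = (uint8_t)(i * 13);
    data_header_t hdr = { .data_len = sizeof content, .n_key_cycles = 5 };
    compute_signature(&sbc, &hdr, content, sizeof content, hdr.signature);
    int ok = verify_block(&card, &hdr, content, sizeof content);
    advance_key_n(&sbc, hdr.n_key_cycles);      /* Fig. 9 step 7, on both sides */
    advance_key_n(&card, hdr.n_key_cycles);
    return ok && memcmp(sbc.key, card.key, KEY_BYTES) == 0;
}

/* A block altered after signing, or signed with a key the card has already
 * replaced, fails the check and would be deleted on the trusted side ([0062]). */
int demo_rejections(void)
{
    section_t sbc, card;
    init_sections(&sbc, &card);
    uint8_t content[64] = "constructed sample content";
    data_header_t hdr = { .data_len = sizeof content, .n_key_cycles = 1 };
    compute_signature(&sbc, &hdr, content, sizeof content, hdr.signature);
    content[10] ^= 0x01;                        /* one flipped bit */
    int tampered = !verify_block(&card, &hdr, content, sizeof content);
    content[10] ^= 0x01;
    advance_key(&card);                         /* card advanced, SBC did not */
    int stale = !verify_block(&card, &hdr, content, sizeof content);
    return tampered && stale;
}
```

Two points for a practitioner evaluating the scheme. First, the only bus traffic the example generates is the header's N value, exactly as [0054] requires; both keys move in lock-step because K1 and K2 were shared before the networks were plugged in. Second, the byte-wise XOR fold is linear, so it detects corruption and a stale key but it is not a collision-resistant keyed hash; the patent itself makes the same point in [0061], where it states that the signature is a transport check and not what isolates the trusted network.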

[0058] After the data header construction process is completed, the
slave SBC will store this bytes collection in its memory. That
collection of bytes has two portions: the first contains the bytes that
were stored in the data header record, the second contains the data
content bytes.

[0059] In step 2, the slave wide bus gate card pulls the data from the
SBC's memory, and moves it to the trusted side (master) wide bus gate
card (Fig. 7d, block 56). As the first byte is pulled from the slave SBC
to the slave wide bus gate card, the latter moves that byte directly and
immediately into the wide bus, to the "data input" channel of the other
unit, the master wide bus gate card. Since the data header is the first
block of bytes to be sent, and since it has a fixed size, the master
wide bus gate card knows what is the size of the data to be sent right
after that header block, and what is the argued signature of that data,
as was computed by the SBC.

[0060] It will be appreciated that the wide bus gate card is not a part
of the SBC operating system or the SBC address space. The only way the
SBC and the wide bus gate cards can communicate with each other is by
direct pulling of bytes from the SBC's memory by the wide bus gate card.
Since the wide bus gate card knows how to extract the data size and the
data signature, it pushes the pulled bytes to the other side, and at the
same time, it checks if the data pulled from memory was properly signed.

[0061] While bytes are pulled from the slave SBC by its slave wide bus
gate card, the latter calculates the data signature by itself. After the
last byte was pulled and immediately sent to the wide bus gate card, the
slave wide bus gate card checks if the computed accumulated signature is
identical to the one argued by the originator of that data (which
normally should be the SBC card). If they are identical, it means that
the data was correctly signed. It should be noted that signing data has
nothing to do with network access control, so breaking the signature
system, which is very hard to do, does not make the trusted network
vulnerable.
[0062] If the data signature is verified, then the slave wide bus gate
card will signal the master wide bus gate card that the sent data
signature was confirmed. If it wasn't, it will instruct the master wide
bus gate card to delete that data from the trusted side.

[0063] In the third step, the master wide bus gate card moves the data
to the trusted side (master) SBC's memory. The master wide bus gate card
in the trusted side receives bytes that were sent from the slave wide
bus gate card, including the data header and the data content.

[0064] Each and every byte is received through the "input channel" and
it is immediately encoded by the receiver (master) wide bus gate card.
This encoding process is based on a specific key, e.g., 1024 bits long,
which is known only to the encoder. This key is generated as the first
byte is received and it is a part of the wide bus gate card, hence there
is no way to successfully guess or extract that key.

[0065] Each and every encoded byte is pushed to the master SBC card. The
master SBC card is required to store that incoming stream of bytes in
its memory. Since that data is encoded, and the SBC knows nothing about
how that stream was encoded (i.e., it does not know what the encoding
key is), this stored bytes collection has a meaningless content, from a
binary or execution point of view. If this data stores any kind of
virus, Trojan horse or any other type of hostile code, the hostile code
is encoded, and the data is now non-infected, as well as non-usable,
data.

[0066] The master SBC now checks the stored content against hidden
hostile code. The trusted side SBC stores bytes pushed by the master
wide bus gate card in their encoded form in its memory. As the last byte
is sent from the slave wide bus gate card, a signature confirmation is
requested. That confirmation is to be received from the slave wide bus
gate card as was described above in step 2. If the signature is not
confirmed, then the master wide bus gate card will instruct its SBC to
delete the data from its memory. Since the data is stored as an encoded
collection of bytes, nothing is affected when this data is deleted. At
that point the communication process is terminated, since the
transported data was not verified by the sender.

[0067] If the signature is confirmed by the sender, the master wide bus
gate card instructs the master SBC to take control of that data. In
addition, it "tells" the SBC the secret key that was used for encoding
that data. When the key is known, the trusted side SBC can decode the
stored content and make it usable. Before making that data usable, the
SBC checks its content against viruses, Trojan horses, Active-X
components, Java scripts etc. Alternatively, the encoding algorithm can
be provided to the software which checks the content, so that it can be
examined while still in its encoded, harmless form.
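The master-side handling of paragraphs [0063]-[0067], as an added C example that is not part of the patent: bytes are encoded the instant they arrive, the SBC holds only the encoded collection, and the key is released for decoding and scanning only after the sender confirms the signature, otherwise the still-encoded bytes are deleted. The page does not name the encoding, the key generator or the detection method; the per-position XOR, the small seeded generator standing in for the hardware random source, the buffer sizes and the marker-string scanner are all assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define ENC_KEY_BYTES 128
#define STORE_BYTES   256

/* Master wide bus gate card: owns the encoding key ([0064]). */
typedef struct { uint8_t key[ENC_KEY_BYTES]; } master_card_t;

/* Master SBC: holds only the encoded byte collection ([0065]). */
typedef struct {
    uint8_t store[STORE_BYTES];
    size_t  len;
    int     usable;   /* becomes 1 only after decode and a clean scan ([0067]) */
} master_sbc_t;

/* Constructed stand-in for the card's hardware random source ([0057]): a
 * small LCG seeded when the first byte arrives. Real hardware samples noise. */
static void card_generate_key(master_card_t *c, uint32_t seed)
{
    for (size_t i = 0; i < ENC_KEY_BYTES; i++) {
        seed = seed * 1103515245u + 12345u;
        c->key[i] = (uint8_t)(seed >> 16);
    }
}

/* The page does not name the encoding; xor with a per-position key byte is
 * assumed here. Applying it twice with the same key restores the byte. */
static uint8_t xor_byte(const master_card_t *c, size_t pos, uint8_t b)
{
    return b ^ c->key[pos % ENC_KEY_BYTES];
}

/* Step 3 ([0063]-[0065]): the card encodes each byte as it arrives on the input
 * channel and pushes it to the SBC's memory. Returns 0 when the store is full. */
int card_receive_byte(master_card_t *c, master_sbc_t *sbc, uint8_t b, uint32_t rng_seed)
{
    if (sbc->len >= STORE_BYTES) return 0;
    if (sbc->len == 0) card_generate_key(c, rng_seed);   /* key made at the first byte */
    sbc->store[sbc->len] = xor_byte(c, sbc->len, b);
    sbc->len++;
    return 1;
}

/* [0066]: signature not confirmed by the sender, delete the still-encoded data. */
void sbc_delete(master_sbc_t *sbc)
{
    memset(sbc->store, 0, sizeof sbc->store);
    sbc->len = 0;
    sbc->usable = 0;
}

/* [0067]: signature confirmed, the card tells the SBC the key, the SBC decodes
 * and scans the content before making it usable. A scanner hit deletes it. */
int sbc_release(const master_card_t *c, master_sbc_t *sbc, int (*is_hostile)(const uint8_t *, size_t))
{
    for (size_t i = 0; i < sbc->len; i++) sbc->store[i] = xor_byte(c, i, sbc->store[i]);
    if (is_hostile(sbc->store, sbc->len)) { sbc_delete(sbc); return 0; }
    sbc->usable = 1;
    return 1;
}

/* Constructed scanner: flags one sample marker string standing in for a known
 * hostile pattern. The page names no detection algorithm. */
static const uint8_t MARKER[] = "HOSTILE-SAMPLE";
static int sample_scan(const uint8_t *d, size_t n)
{
    size_t m = sizeof MARKER - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(d + i, MARKER, m) == 0) return 1;
    return 0;
}

/* Feed a constructed message byte by byte through the pipeline. */
static void transport(master_card_t *c, master_sbc_t *sbc, const uint8_t *msg, size_t n)
{
    memset(sbc, 0, sizeof *sbc);
    for (size_t i = 0; i < n; i++) card_receive_byte(c, sbc, msg[i], 0xC0FFEEu);
}

/* Clean data: opaque to the SBC while held, identical to the original once released. */
int demo_clean_release(void)
{
    static const uint8_t msg[] = "constructed clean record: account balance 42";
    master_card_t card; master_sbc_t sbc;
    transport(&card, &sbc, msg, sizeof msg);
    int opaque = memcmp(sbc.store, msg, sizeof msg) != 0;   /* SBC cannot read it yet */
    int released = sbc_release(&card, &sbc, sample_scan);
    return opaque && released && sbc.usable && memcmp(sbc.store, msg, sizeof msg) == 0;
}

/* Hostile data never becomes usable: the marker is invisible while encoded, the
 * scanner deletes it after decode, and an unconfirmed signature deletes it unread. */
int demo_hostile_or_unconfirmed(void)
{
    static const uint8_t msg[] = "constructed record carrying HOSTILE-SAMPLE bytes";
    master_card_t card; master_sbc_t sbc;
    transport(&card, &sbc, msg, sizeof msg);
    int hidden = !sample_scan(sbc.store, sbc.len);
    int blocked = !sbc_release(&card, &sbc, sample_scan) && sbc.len == 0 && !sbc.usable;
    transport(&card, &sbc, msg, sizeof msg);
    sbc_delete(&sbc);                                        /* the [0066] path */
    return hidden && blocked && sbc.len == 0 && !sbc.usable;
}
```

The design point the example makes concrete is the ordering: nothing in the SBC's memory is in executable or readable form until two independent conditions hold, the sender's signature confirmation and a clean scan, and the delete path never needs to interpret the bytes it discards. A scanner that understands the encoding, as the last sentence of [0067] allows, would call `sample_scan` before the decode loop instead of after it.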
[0068] These checks are performed after data is completely moved, and
not at the time it is transported, hence the detection tools have the
chance to check the whole data content, all at once. Moreover, since the
system acts much like an off-line system, the time factor is less
sensitive and significant as it comes into system performance
considerations. Thus, there is enough time for the scanners and
detection tools to run the best algorithms they can, with the maximum
possibilities and available features.

[0069] Finally, if the data was checked and no hostile code was
detected, then the data will be moved from its temporary location in the
SBC's memory to the appropriate location in the trusted network. Note
that the data, in its temporary location, includes not only the content,
but the original header, too. Before moving the data to its final
location in the trusted network, the SBC extracts its content, converts
this content into a separate bytes collection, sets the parameters of
this new bytes collection (as was extracted from the header), and moves
that new bytes collection to its final location in the trusted network.

[0070] The "data export" process is much like the "data import" process.
However, although both processes are controlled by the master unit, and
only by the master unit, the import process is intended to read data
stored somewhere over the non-trusted network, while the export process
is intended to expose the content of data stored somewhere over the
trusted network. Therefore, the content sensitivity is quite different.
An imported data content is checked against viruses, Trojan horses, and
other hostile executable codes. An exported data content is checked
mainly against accidental exposure of confidential data.

[0071] In order to import data from the outside world, the system of the
invention reads the data and then performs the transportation process
described above. However, in order to export data from the trusted
network, the system must first verify the source of the data, so as to
ensure that the data is exportable. Preferably, the system explicitly
identifies the owner of the data (i.e., who created and holds that
data), although this is not required. In such cases, the data will be
exported only after the data owner is confirmed. The export process uses
the same transportation mechanism as does the import process described
above.
[0072] Referring now to Fig. 5, there is shown a schematic illustration
of a three-stage device according to one embodiment of the invention
inserted between a trusted network 70 and a non-trusted network 72. The
three-stage device includes a first slave unit 74 connected to trusted
network 70, a second slave unit 76 connected to non-trusted network 72,
and a master unit 78 connected between first slave unit 74 and second
slave unit 76.

[0073] First slave unit 74 includes a first slave computer 80 connected
to trusted network 70, and a first slave wide bus gate card 82. First
slave wide bus gate card 82 is coupled to first slave computer 80 by a
computer bus, and is coupled to master unit 78 by a wide bus 84.
Similarly, second slave unit 76 includes a second slave computer 86
connected to trusted network 70, and a second slave wide bus gate card
88. Second slave wide bus gate card 88 is coupled to second slave
computer 86 by a computer bus, and is coupled to master unit 78 by a
wide bus 89. Master unit 78 includes a master computer 90 and two wide
bus gate cards 92, 94, one connected to each slave wide bus gate card.
[0074] The operation of the three-stage device is a little different
from operation of the two-stage device. In the case of a three-stage
device, the data is not moved directly into or out of the trusted
network, since the master unit is isolated from both nets. Instead, the
data is first imported from the slave unit coupled to the sender network
to the isolated region where the master unit is located. The master unit
then checks the data, and decides whether to delete it or to export it
into the receiver network. It will be appreciated that each of these
data transportation processes is the same as used by the two-stage
device, described above. In each case, the master computer 90 initiates
or authorizes the import and export processes.

[0075] It will further be appreciated by those skilled in the art that
the three-stage device system offers a number of advantages relative to
the two-stage version:

• It isolates the master unit, where security decisions are made, from
  both sides. Network attacks on the security system itself cannot take
  place, whether that attack originates from outside world users or
  inside traitors. In addition, critical information used by the master
  unit is also isolated and protected from access and attacks by both
  sides.

• There is no way to cause other programs to start running in the
  master unit. Hence, this unit is absolutely free of accidental
  execution of viruses or other hostile programs.

• While the two-stage device includes four different, independent
  sections (one SBC and wide bus gate card in each side), the
  three-stage device includes seven sections, one SBC in each unit and
  three or four wide bus gate cards, one in each slave and one or two in
  the master unit. Hence, a "bug", "crash" or any kind of error that
  could lead to a trusted network exposure becomes much rarer than in
  the two-stage device (although for both versions this possibility is
  practically nil).

[0076] It is a particular feature of the systems of the present
invention that the networks are isolated not only physically, but also
logically, so that data streaming is prevented. Thus, a node in the
hostile network is not able to exchange data directly with a node in the
trusted network. Instead, transported data must be handled by the
system's internal kernels, involving the master and slave units, and
neither the operating system nor the network kernel have any control of
how data will be moved between the nets.

[0077] In addition, the standard computer communication protocols are
non-operative between the two networks. Thus, the present system
disables any initiation caused by the hostile side, no matter who tries
to push data, where that data came from etc.

[0078] Furthermore, the present system forces the communication between
the two sides to be hand-shake based. That means that the data must be
accepted in the other side and a response to that incoming information
must be provided, otherwise the data will not be moved.

[0079] As already described, in order to send a block of data through
the wide bus gate card, one must know how to sign that block. Extraction
of the secret key and the function permanent values, which are the only
secrets that are required in order to correctly sign a block of data, is
a very non trivial task. Take, for example, the secret key. It is a key
which is very long, may be scrambled inside a stream of bits several
orders of magnitude larger, somewhere in the memory space in a memory
region that is re-addressable periodically, and is locked inside the
memory area in such a way that it is never swapped with any disk page
(thus no copy of that memory can be found in the disk). Moreover, the
secret key value is changed from time to time as was previously
explained. Alternatively, or in addition, the value of the secret key
can be protected in any other fashion.

[0080] As long as the master unit does not perform a "data import"
process, no intruder is capable of sending data into the trusted
network. Even if the master unit requests to export data, an intruder
cannot push his data, as the system pushes and pulls data in different
channels, asynchronously.

[0081] It will be appreciated that, without help from someone inside the
network, an intruder will not be able to overcome the master unit and
create an effective data stream by which hostile material can be pushed
into the trusted system. Even with insider help, it is extremely
difficult to overcome all the unique elements in the system. And, if the
master unit, the only unit that controls the flow of data, is isolated
from the trusted network too, as in the case of a three-stage device, it
is not only a very hard task to create a stream of data, it is very
nearly impossible.

[0082] It is a further particular feature of the invention that the
system is insensitive to software and hardware "bugs", crashes and other
failures. Regarding bugs, the system of the invention includes four or
seven sections depending on the system type. The networks are not
connected, so at the time the system works, there is no data streaming
or any network or operating system services between the networks. A
situation where all these four or seven sections have a "bug" that
bypasses each and every section functionality and creates a "short
path", at the same time, is practically non-existent.

[0083] An operating system crash will not cause the system to suddenly
connect the trusted network to the hostile one, since the wide bus gate
cards are not operating system based circuits. These cards may be
considered to be well debugged and stabilized sections. Since the wide
bus gate card is the gate through which all communication sessions must
pass, even in case of an operating system crash, back door, failure
etc., the trusted network will not become connected to the hostile one.

[0084] In addition, there exist many configuration errors that can lead
to very destructive results. Some of them are no longer relevant since
the traditional services cannot be supported through the system's
channels. Other configuration errors, that could lead to destructive or
unpredictable results in conventional systems, are not problematic in
the system of the present invention.

[0085] For example, perhaps the most dangerous situation occurs when
... or administrator exchanges the jacks of the trusted network and the
hostile network. In that case, the trusted network becomes the "hostile"
one, and vice versa. However, even in that case, in the present
invention the trusted network is not exposed to the outside world. One
way to avoid such a situation is as follows. When the system is first
installed, it creates a file somewhere in the trusted network. That file
contains information randomly generated by the unit connected to the
trusted side. Moreover, most preferably that information is randomly
changed after data is completely moved, in or out, from the trusted
network. Before any "data import" or "data export" process starts
running, both sides of the system look for that file. If the unit which
is supposed to be connected to the trusted side cannot find that file,
and/or the one that is supposed to be connected to the hostile side can
find that file, then the process will not take place. Only when the
trusted side unit finds the file (and, of course, verifies its content),
and the hostile side unit cannot find it, can a file transfer occur.
Exchanging the wires may lead to a warning message, but no data leakage.
It will be appreciated that there are also other ways for the master to
confirm that it is connected to the trusted network.

[0086] One of the known targets of hackers is the configuration file.
Intruders will try to modify that file or, at least, to read its content
in order to learn the protection scheme and to find an already opened
gate to come through. The system of the invention holds all
configuration files in the master side. The slave units' configuration
is pushed to the slave units at initialization time by the master unit.
Thus, there is no file, block of data, or any kind of trace, that can be
found in the slave unit disk, hence the configuration setup is
protected.

[0087] A number of other security features can also be offered by the
system. These include:

• The slave units report their log events to the master unit. No log
  file or any other log report will be saved in the slave unit side.
  The master unit will keep all system log reports, for both his events
  and other units' events.

• Each and every unit, whether it is a master or a slave unit, runs its
  own set of self-protect procedures. This set preferably includes:

  • If other running programs are detected, the unit locks its own wide
    bus gate card and tries to kill that program. As long as the
    detected program is running, the wide bus will remain inaccessible,
    hence transportation between the two nets will be denied.

  • If the system clock or calendar was changed, not by the system
    itself, the system will force the administrator to check the reason
    for that.

  • Any change of unit disk size, free space, number of directories or
    files etc., will lead to a system response that may vary from an
    administrator notification message up to a "brute" reset of the
    whole system.

  • Any "time-out" error while communicating with the wide bus gate
    card or the other units will lead to a system response that may
    vary from an administrator notification message up to a "brute"
    reset of the whole system.

  • Any change in the IO architecture (such as addition of a new card)
    will lead to a system response that may vary from an administrator
    notification message up to a "brute" reset of the whole system.

  • Any change of system hardware profile (such as disk replacement or
    addition, version replacement etc.) will force the administrator to
    confirm these changes.

[0088] It will be appreciated that, although the system of the invention
presents a very non standard architecture and it is a non
streaming-based transportation system, it meets a wide range of
commercial applications, and it does not require any special interface
or preparations. As an example, we will show how it meets the most
popular application area where the security market is focused today,
the Internet.

[0089] An Internet site is a directory somewhere in the world wide
network, in a disk that belongs to a server, workstation or a PC client.
Essentially, the Internet is a file-based network, the HTTP standard is
actually a "file import" and "file export" standard, and, in general,
HTTP is a "data import" and "data export" protocol. Accordingly, the
system of the invention can be used as an Internet connection gate for
HTTP, FTP, electronic mail, and other protocols, having extremely tight
security features.

[0090] There are many other kinds of applications where transported
data is in static data form (i.e., block, record, or file). Connection
between a trusted and non-trusted network for such applications can be
safely implemented through the use of the present system. Two extremely
different examples are given below:

[0091] Fax servers. A fax server is a server that from one side is
connected to a telephone line and from the other side is connected to
the trusted network. Although basically that server functions as a fax
receiver, there is no guarantee that other users, from the outside
world, will not intrude on the trusted system through the telephone
line. The system of the present invention can isolate the fax server
from the trusted network, as it imports the fax files (.TIFF files) from
the server disk into the trusted network.

[0092] Backup of confidential information. Confidential information
exposure can be very damaging. Even without exposure of information, an
organization may seriously suffer from unauthorized access or usage of
confidential files. The system of the present invention can be used to
import these files from all over the internal organization network into
a backup network, one that is inaccessible to organization network
users. Thus, these files will remain protected and access is denied, as
the networks are not connected. In order to restore these files, the
administrator must run the file export processes from the backup network
itself, not from the users' net.

[0093] An additional use for the present system is to check for hostile
content, such as viruses, which are passed over an encrypted
communications channel. In conventional systems, it is virtually
impossible to do this, since the private keys for encryption are not
known to all. Without decryption of the data, examination for hostile
content cannot take place. In the present system, on the other hand, the
user's computer on the trusted network creates an encrypted channel to
the master. The master and the computer both know the private keys and
the public keys. The slave also creates an encrypted channel to the
computer, generally, but not limited to, a server computer in the
non-trusted network, to which the slave and the outside computer have a
different set of public and private keys. When the master or slave
receives data over the encrypted channel, they are able internally to
decrypt the data (since, as stated above, each knows the relevant keys
for its own channel), and send the decrypted data to be examined for
hostile content, such as viruses, Trojan horses, Active-X components,
Java scripts, defectors, etc. If there is no hostile content, the data
is passed through the other unit (slave or master, whichever did not
receive the data originally) to the second network, either re-encrypted
or not encrypted, as required.

[0094] The present system can provide these security advantages as it
takes advantage of the time domain aspect of computer communications.
Systems security is a processor-based job but transportation of data is
the network equipment job. Although in the past seven years the
processing performance grew very rapidly, the relative communication
bandwidth remained constant or grew very slowly. Nowadays, when a
moderate Internet connection speed used by big organizations is about
2M bits/sec (for small and medium size organizations the speed is even
lower) and the in-computer mother-board bus speed is about 132M
bytes/sec (more than 500 times faster), the remaining time can be
utilized for enhanced performance by the network security system. In
this case, that gap is used for better content checking, for a
hand-shake based mechanism, for isolation implementation and more.

[0095] It will be appreciated that the invention is not limited to what
has been described hereinabove merely by way of example. Rather, the
invention is limited solely by the claims which follow.

Claims 



. A system for providing a trusted computer commu- 
nication network comprising: 

a master decision maker unit, coupled to the 
trusted network; and 

at least one slave communication unit coupled 
to the master unit by a vvide bus connection 
that has multiple unidirectional. communication . 
channels, and connected to a non-trusted net- 
work; 

wherein the trusted network is physically Iso- 
lated at all times from said non-trusted net- 
worK and all data transported between, the 
trusted network and said non-trusted network 
is transported between said master unit and 
said slave unit. , '\ 

The system according to claim 1, wherein said 
master unit includes a master computer coupled for 
standard computer communication with the trusted 
network, and coupled via a standard computer bus 
to a master wide bus gate card; and 

said slave unit includes a slave wide bus gate 
card coupled via a wide bus connection that 
has multiple unidirectional communication 
channels to said master wide bus gate card 
and via a computer bus to a siave computer 
which, in turn, is connected to said non-trusted 
network for standard computer communication. 

The system according to either of clairns -1 and 2. . 
wherein the system further includes a second.slave 
unit coupled between the trusted network and said 
master unit. 

4. The system according to claim 3, wherein said second slave unit includes a second slave wide bus gate card coupled via a wide bus connection that has multiple unidirectional communication channels to a second master wide bus gate card and via a computer bus to a second slave computer which, in turn, is connected to said trusted network for standard computer communication.

5. The system according to claim 2, wherein said computer includes a Single Board Computer, and said wide bus gate card includes a Field Programmable Gate Array (FPGA).

6. The system according to claim 2, wherein said computer includes a Single Board Computer, and said wide bus gate card includes an Application Specific Integrated Circuit (ASIC).

7. The system according to claim 2, wherein said wide bus gate card includes a CPU.

8. The system according to any of the preceding claims, wherein said non-trusted network is the Internet.

9. The system according to any of the preceding claims, wherein all data is transported in static data form between said master unit and said slave unit.

10. The system according to any of claims 1 to 8, wherein all data is transported in message form between said master unit and said slave unit.
11. The system according to any of the preceding claims, further comprising an additional unit, connected to either said master unit or one of said slave units, to perform computations and help reach security decisions.
12. The system according to any of the preceding claims, further comprising a physically isolated De-Militarized Zone (DMZ) network coupled to said master decision maker unit.

13. A method for securing a trusted computer communication network comprising the steps of:

disconnecting the trusted network from all non-trusted computer communication networks;

inserting a system between the trusted network and a non-trusted network, said system including a master decision maker coupled to the trusted network and a communication slave; and

enabling transportation of data between said trusted network and said non-trusted network only with approval of said master decision maker.

14. The method according to claim 13, wherein said step of inserting includes:

inserting a master unit including a master computer and a master wide bus gate card which constitutes a master decision maker, and a slave unit including a slave computer and a slave wide bus gate card which constitutes a communication slave, by coupling said master computer to the trusted network, coupling said master wide bus gate card to said slave wide bus gate card, and coupling said slave computer to said non-trusted network.

15. The method according to either of claims 13 and 14, further including the steps of:

initiating a data import process by said master unit or by said slave unit with approval of said master unit;
transporting data from said non-trusted network to said slave computer;
signing said data with a data signature;
transporting said signed data from said slave computer to said slave wide bus gate card;
transporting said data from said slave wide bus gate card to said master wide bus gate card;
encoding said data using a key generated by and known only to said master wide bus gate card;
transporting said encoded data from said master wide bus gate card to said master computer;
verifying said data signature; and
examining said data in said master computer or providing a delete command in accordance with the result of said step of verifying said data signature.

16. The method according to claim 15, wherein said step of examining includes examining said encoded data while it is still encoded.

17. The method according to claim 15, wherein said step of examining includes:

providing said key from said master wide bus gate card to said master computer;
decoding said encoded data; and
examining said decoded data.



18. The method according to claim 13, further including the steps of:

initiating a data export process by said master unit or by said slave unit with the approval of said master unit;
transporting data from a data owner in the trusted network to said master computer;
signing said data with a data signature;
transporting said data from said master computer to said master wide bus gate card;
transporting said data from said master wide bus gate card to said slave wide bus gate card;
encoding said data using a key generated by and known only to said slave wide bus gate card;
transporting said encoded data from said slave wide bus gate card to said slave computer;
verifying said data signature; and
transporting said data from said slave computer to said non-trusted network or deleting said data, in accordance with the results of verifying said data signature.

19. The method according to claim 18, further including the step of examining said data in said master computer to authenticate said data owner after said step of signing.

20. The method according to claim 15, further comprising the step of examining, in said master unit, the data to be transported before transporting said data to or from the trusted network.

21. The method according to claim 18, further comprising the step of examining, in said master unit, the data to be transported before transporting said data to or from the trusted network.

22. The method according to either of claims 20 and 21, further including the step of reading said data to be transported as static data, and wherein said step of examining includes examining said static data for improper authorization and hostile programs.

23. The method according to any of claims 13 to 22, wherein the non-trusted network is the Internet.

24. The method according to claim 23, further including the steps of:

inputting a list of sites to be imported into said master unit;
causing said master unit to instruct said slave unit to import specific site data;
examining said site data; and
copying said site data into the trusted network.

25. The method according to any of claims 13 to 22, wherein said non-trusted network includes a fax server.
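The import sequence of claim 15 and the export sequence of claim 18 are mirror images of one hand-off across the wide bus: the sending computer signs, only static data crosses the bus, the receiving gate card encodes it with a key it generated itself, and the receiving computer verifies the signature and examines the content before forwarding or deleting it. The following is an added example written to illustrate that hand-off; it is not code from the patent. Everything the claims leave unspecified is an assumption here: HMAC-SHA256 stands in for the "data signature", a SHA-256 counter keystream stands in for the gate card's "encoding", a size limit is the check on still-encoded data of claim 16, a byte-marker scan is the examination for hostile programs of claim 22, the two computers share one signing key, and, because the claims do not say how a signature is verified over encoded data, the receiving computer takes the key from its gate card (claim 17) and decodes before verifying.

```python
"""Added example (not the patent's own code): one crossing of the wide bus as
laid out in claims 15 (import) and 18 (export), which are mirror images.

Assumptions the patent does not make: HMAC-SHA256 stands in for the "data
signature"; a SHA-256 counter keystream stands in for the gate card's
"encoding"; a size check is the claim-16 check on still-encoded data; a
byte-marker scan is the claim-22 examination for hostile programs; and the
two computers share one signing key.
"""
import hashlib
import hmac
import secrets

MAX_MESSAGE = 64 * 1024                       # constructed limit, checked while still encoded
HOSTILE_MARKERS = (b"MZ", b"\x7fELF", b"#!")  # constructed stand-in for a real content scanner


def sign(data: bytes, signing_key: bytes) -> bytes:
    """Data signature applied by the sending computer (slave on import, master on export)."""
    return hmac.new(signing_key, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes, signing_key: bytes) -> bool:
    """Constant-time signature check by the receiving computer."""
    return hmac.compare_digest(sign(data, signing_key), signature)


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Symmetric encode/decode: XOR with SHA-256(key || counter) blocks."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class WideBusGateCard:
    """Receiving-side gate card: generates its own key (claims 15 and 18) and
    releases it only to the computer on its side of the bus (claim 17)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def encode(self, data: bytes) -> bytes:
        return xor_keystream(self._key, data)

    def provide_key(self) -> bytes:
        return self._key


def examine(data: bytes) -> bool:
    """Claim 22: examine static data for hostile programs; True means clean."""
    return not any(data.startswith(marker) for marker in HOSTILE_MARKERS)


def hand_off(payload: bytes, signature: bytes, signing_key: bytes,
             receiving_card: WideBusGateCard) -> dict:
    """Move one signed message across the wide bus into the receiving computer.

    Returns the decoded data only if every check passes; otherwise the data
    is deleted (the delete command of claim 15, the deleting step of claim 18).
    """
    # Only static bytes cross the bus; the receiving gate card encodes them
    # with its private key before the receiving computer ever sees them.
    encoded = receiving_card.encode(payload)

    # Claim 16: a check that can be made while the data is still encoded.
    if len(encoded) > MAX_MESSAGE:
        return {"accepted": False, "reason": "too large", "data": None}

    # Claim 17: the receiving computer obtains the key and decodes; only then
    # can the signature be verified and the content examined.
    decoded = xor_keystream(receiving_card.provide_key(), encoded)
    if not verify(decoded, signature, signing_key):
        return {"accepted": False, "reason": "bad signature", "data": None}
    if not examine(decoded):
        return {"accepted": False, "reason": "hostile content", "data": None}
    return {"accepted": True, "reason": "ok", "data": decoded}


def demo() -> tuple:
    """Import (claim 15) into the master side and export (claim 18) to the slave side."""
    signing_key = b"constructed-shared-signing-key"
    master_card, slave_card = WideBusGateCard(), WideBusGateCard()
    web_page = b"<html><body>price list</body></html>"  # constructed import data
    report = b"%PDF-1.4 quarterly report"                # constructed export data
    imported = hand_off(web_page, sign(web_page, signing_key), signing_key, master_card)
    exported = hand_off(report, sign(report, signing_key), signing_key, slave_card)
    return imported, exported


if __name__ == "__main__":
    for result in demo():
        print(result["reason"], result["data"])
```

The point worth noticing is where the key lives: the gate card that encodes never sends its key across the bus, so a compromised sending computer cannot forge encoded traffic, and the receiving computer cannot read anything until it has asked its own gate card for the key, which is the step at which the card can refuse or log. A tampered payload, a payload signed with the wrong key, an executable image, or an oversize message all end in deletion rather than forwarding.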



26. The method according to any of claims 13 to 25, further comprising the step of importing confidential files from all over the trusted network into a backup network that is coupled only to said master unit or said slave unit.

27. The method according to any of claims 13 to 26, further comprising the steps of:

encrypting data to be passed through said master unit or said slave unit over an encrypted channel;
causing the unit which receives said encrypted data over the encrypted channel internally to decrypt said data;
examining said decrypted data for hostile content; and
if there is no hostile content, encrypting said